Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Talks:

Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.

So you thought you were safe using AngularJS? Think again! - Lewis Ardern

AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. But while Angular adds much-needed features to the language, it also creates a handful of new security problems for developers to discover and work around. Lewis will walk you through an application that illustrates security issues discovered in real-world applications and will explain the problem with usable solutions.

Lightning Talk: OWASP Summit 2017 Outcomes - Dinis Cruz

Dinis will introduce the numerous outcomes delivered during the OWASP Summit 2017 workshops and brainstorming sessions and will discuss the next steps.

The OWASP CRS is a set of generic attack detection rules for use with ModSecurity (or compatible) Web Application Firewall (WAF) that saw a new major release in November 2016. CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode.

Speakers:

Lewis Ardern

Lewis Ardern is a security consultant at Synopsys/Cigital, where he specializes in application security, red teaming, and network assessments. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen, which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security.

Christian Folini

Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore, so Christian turned to defending web servers, which he thinks is equally challenging. With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years' experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling. Christian is a frequent committer to the OWASP ModSecurity Core Rules project (he is also the author of the Second Edition of the ModSecurity Handbook), vice president of Swiss Cyber Experts (a public-private partnership), program chair of the Swiss Cyberstorm conference and many other things.

Dinis Cruz

Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.

RSVP

This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.

Speaking at OWASP London Chapter Events

Call For Speakers

Call For Speakers is open - if you would like to present a talk on Application Security at future OWASP London Chapter events - please review and agree with the OWASP Speaker Agreement and send the proposed talk title, abstract and speaker bio to the Chapter Leaders via e-mail:

Payment systems are part of our everyday lives, with most transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation, however, attempts to go a step further and assess payment systems from a hypothetical attacker's point of view, by undertaking a threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that attackers could use while their activity remains unnoticed. One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly,

Dinis will update us on the latest OWASP Top 10 2017 Release Candidate, the proposed changes and the controversy surrounding the new A7.

Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM - Apostolos Giannakidis (PDF) (video)

A great number of Java applications utilize native Object Serialization to transfer or persist objects. Recently it has become widely known that the deserialization process in Java is flawed and, if not used properly, can be easily abused by attackers. This talk provides an introduction and detailed overview of the problem of Java deserialization. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks using a completely different approach than any other existing solution.

Lightning Talk 2: Security solutions for developers who have no time for security - Edwin Aldridge (video)

Within a large organisation, different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult, and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide a concise source of sound advice, but they can still leave the development team with a lot to do. They can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach compared with the OWASP Cheat Sheets.

Speakers:

Dr. Grigorios Fragkos

Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce. He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission-critical infrastructures. He wrote a next-generation SIEM as part of his PhD research, with “notional understanding” of network events for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present at a number of security conferences, workshops and summits over the years, and he is also the main organiser of Security BSides Athens. Thinking ahead and outside the box when dealing with information security challenges is one of the key characteristics of his talks.

Apostolos Giannakidis

Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.

Dinis Cruz

Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.

Edwin Aldridge

Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming.

RSVP

This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.

Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although security teams try to follow the right application security practices, many applications are shipped with fragmented security. The most common denominator is the reliance on dynamic and static testing tools during the final stages of the lifecycle. In this session, learn about the benefits of building security during the requirements phase or the first stage of the software development lifecycle (SDLC).

Double-Submit Cookie Pattern Protection against cross-site request forgeries (CSRF) is a popular option in stateless applications as it doesn't require the server to store a token value between requests. Instead, the server will verify a token value stored in a cookie against a request parameter. Unfortunately, many popular implementations of this defense pattern can be defeated by attackers and this talk will discuss the misconceptions and pitfalls that may render this protection insufficient. We will look at how the CSRF protection in an AngularJS application using the popular Express.js middleware csurf on the server-side can be defeated. We will also show the options for configuring it securely.

PostMessage API is a known source of DOM XSS vulnerabilities on web sites. Browser extensions can use messaging too, and if an extension fails to handle incoming messages securely enough it may lead to a universal XSS. This talk will present an analysis of Chrome extensions that aimed at discovering vulnerabilities caused by insecure postMessage listeners in content scripts that are inserted by browser extensions into web pages. The research will demonstrate the examples of vulnerable Chrome extensions and explain the threats which they present to the end-users and how they can be mitigated.

Speakers:

Kevin Delaney

Kevin Delaney is an application security professional from Toronto, Canada. With diverse experience in software development, security, and enterprise IT, he takes personal pride in solving challenging security problems and helping businesses stay one step ahead of attackers.

David Johansson

David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).

Arseny Reutov

Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of the Research Team and Application Security Tools Development Unit at Positive Technologies Ltd, where he specializes in information security issues, penetration testing and the analysis of web applications and source code. He is also the author of various security research papers and the security blog raz0r.name. Arseny has participated in various bug bounty programs and has been acknowledged by well-known software vendors. He was a speaker at ZeroNights, CONFidence, PHDays and other conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passions are modern web technologies and finding vulnerabilities in them.

Thursday, 26th January 2017 (Central London)

The next OWASP London Chapter meeting will take place on Thursday, 26th January 2017 at 18:30 (we start on time!)

Substantial effort has been put into the design of secure solutions for authenticating users. However, the privacy of end users has rarely been given as much attention in these solutions. This often leads to design flaws that let the identities of end users be exposed to parties they did not necessarily intend to disclose them to. This talk will present a set of privacy requirements for protecting end users during authentication and show some examples of solutions where the end user’s privacy can be compromised because one or more of these requirements are not met. For example, we will see how design flaws in TLS client certificate authentication can be abused by attackers to identify users in both passive and active network attacks, and look at how the upcoming TLS 1.3 standard addresses this.

Dinis will talk us through the open source tool he has been building for some time: a tool to perform and visualise assessments using the OWASP Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM).

Speakers

David Johansson

David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).

Dinis Cruz

Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

Francois Raynaud

Francois is the founder of DevSecCon, a conference dedicated to DevSecOps, the fusion of DevOps and SecOps. He is actively involved in security automation projects supporting continuous delivery and is currently working as the enterprise security architect for a global retailer, preceded by 17 years at ASOS, Betfair, Verizon Business, HSBC and RSA, where his consulting engagements spanned implementing CERT teams, incident response strategy, security architecture design, IT security management and penetration testing.

RSVP

This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

The International Director of the PCI Security Standards Council will take us on a journey around some wonderful sights of Europe using the images to reflect on and relate to the challenges and successes that we all face in protecting data. In his talk Jeremy will talk about the potential impact of Brexit on security and will discuss the latest changes in PCI DSS related to TLS, Multi-Factor Authentication and Secure Software Development Requirements.

Shane will talk about the myBBC Security Council and how it demonstrates an organisational approach towards security that ensures the right decisions are made by the right people, and that developers can raise concerns knowing that they will be seen and escalated. It also frames InfoSec as an enabling force rather than a loophole.

JSON hijacking is supposedly dead after the Array constructor and "Object.prototype" setter bugs have been patched - or is it? This talk will show how it's still possible to steal JSON data cross-domain using various browser bugs. Gareth will take us on an epic journey of bug discovery and, if we have time, he may even bypass CSP for fun.

Speakers

Jeremy King

Jeremy is the International Director of the PCI Security Standards Council. He leads the PCI Council's efforts in increasing adoption and awareness of the PCI Security Standards internationally. In this role, Mr. King works closely with the Council's General Manager and representatives of its policy-setting executive committee from American Express, Discover, JCB International, MasterCard, and Visa, Inc. His chief responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC managed standards through all international markets, and driving education efforts and Council membership recruitment through active involvement in local and regional events, industry conferences, and meetings with key stakeholders. He also serves as a resource for Approved Scanning Vendors, Qualified Security Assessors, Internal Security Assessors, PCI Forensic Investigators, and related staff in supporting regional training, certification, and testing programs.

Gareth Heyes

Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS, a free JavaScript sandbox that provides a safe DOM environment for sandboxed code. Gareth has been a speaker at many security conferences including Microsoft BlueHat, CONFidence Poland, and OWASP Application Security Conferences. Gareth also co-authored the "Web Application Obfuscation" book, which was named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews.

Shane Kelly

Shane is a Senior Software Developer at The BBC, with a keen interest in security. Prior to the BBC he worked for the travel aggregator Travelfusion, and the anti-money laundering firm Fortent (formerly Searchspace).

Goran Sarenkapa

Goran is a core member of the OWASP ZAP development team and a lead developer on the OWASP ZAP Jenkins plugin project.

RSVP

This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

We are excited to announce the OWASP London Hackathon and CTF event, which will be taking place on the evenings of 28th and 29th of November 2016 in Central London.

CTF (Capture The Flag) is a type of computer security competition. Contestants are presented with a set of challenges and puzzles which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories and when solved, each yields a “flag” which is submitted to a real-time scoring service. The difficulty levels are from beginner to advanced.

CTF tournaments are a great and fun way for software developers to learn a wide array of application security skills in a safe and legal environment.

With the rise of the new breed of cyber-terrorism perpetrated by extremist groups such as ISIS/Daesh, an alarming new dimension has been added to the threat landscape.

The Thermostat, The Hacker, and The Malware - Ken Munro and Andrew Tierney (PDF)

Following the PoC of thermostat ransomware Ken Munro and Andrew Tierney performed at DEF CON 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move on to general malware, which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we’ll show you how a compromise can be achieved. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.

Fairly regularly on consultancy jobs, you encounter a "random" number that is actually just the time, or a PRNG seeded with the time, or a hash of the time, etc. If you had to guess the time on a remote server to a tolerance of a microsecond, how many requests would it take?

Speakers

Ken Munro

Ken Munro is a successful entrepreneur and is founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers all of whom have a stake in the business. He takes a key role in conducting investigations as well as encouraging team members to pursue their own research, the results of which are published on the company blog and in the wider media. Ken has a wealth of experience in penetration testing but it’s the systems and objects we come into contact with on an everyday basis that really pique his interest. This has seen him hack everything from hotel keycards, to cars and a range of Internet of Things (IoT) devices, from wearable tech to children’s toys (Cayla) and smart home control systems. Ken has been in the infosecurity business for 15 years.

Andrew Tierney

Andrew Tierney is a security consultant at Pen Test Partners. Prior to this he gained notoriety for his blog, where he documented his findings regarding embedded systems such as routers, intruder alarms, thermostats, IP cameras, and DVRs. He expanded his skills into the realms of IoT web applications and mobile applications before joining the team. With a background in electronic engineering, Andrew employs some novel techniques for attacking embedded systems, such as simple and differential power analysis, firmware recovery, and glitching attacks. He has experience in both writing and disassembling code for multiple architectures, including ARM, MIPS, x86, AVR, and PIC, and he is capable of reverse engineering a wide spectrum of devices, from the smallest 8-bit microcontroller up to the latest Android phones.

Dinis Cruz

Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

Khaled Fattal

Khaled Fattal is the Group Chairman of The Multilingual Internet Group. He is also a President's Advisory Committee Member on Internationalised Domain Names (IDN) at ICANN (Internet Corporation for Assigned Names and Numbers). Khaled has been a strong advocate of Internet multilingualism and is an active promoter of research, development, education & deployment projects which help to make the Internet more usable and inclusive. Recently Khaled has been actively researching the topics of cyber-terrorism from threat actors such as ISIS/Daesh and rogue states.

Chris Anley

Chris Anley is Chief Scientist at NCC Group. He is the author of several innovative papers on application security, including "Advanced SQL Injection", "Hackproofing MySQL" and the paper introducing "Venetian" shellcode. He is the lead author of "The Shellcoder's Handbook", arguably the definitive book on discovering and exploiting arbitrary-code security vulnerabilities, and co-author of "The Database Hacker's Handbook" and "SQL Server Security". He has discovered security flaws in a wide variety of platforms including Microsoft Windows, Apple OSX, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.

RSVP

This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

Talks

There are a huge number of technologies available to help us better secure our websites, but it can be difficult to know about all of them. In this talk I'm going to show you some of the headline acts in the HTTP Response Header category and just how easy it can be to quickly and effectively boost security and offer better protection to your visitors.

There's a lot of discussion around achieving application security automation within the development pipeline. In this talk you will experience an approach to using Threadfix and its "Policies" feature to determine the security exposure of a release and using a tool called Donatello to output the result back into the continuous integration and delivery flows. Additionally, the speakers will be presenting some of their ideas for a second version of Donatello which will be taking a lot more static & dynamic attributes into account in the form of an Application Security Passport.

Become a Source Code Hero With New Code Analysis Tool for Developers, Jacks.

Jacks is changing the way development teams approach the security dilemma, by giving developers the skills they need to own the security of their applications and to build safer apps from the start.

Speakers

Scott Helme

Scott Helme is an internationally renowned speaker, security researcher, pen tester, consultant and blogger. Scott is also the founder of report-uri.io and securityheaders.io - free online tools which help thousands of organisations around the globe to deploy better security.

Lucian Corlan

Lucian is a Senior Application Security Solutions Manager at SagePay. Lucian holds a number of security certifications – MSc ITSec, MA Security Studies, CISSP, CSSLP (a), CISM, CISA, CEH, OSCP, SABSA Foundation – and has previously worked for Betfair in the InfoSec/AppSec Manager and Acting Head of AppSec roles. Lucian has also led one of the Romanian OWASP Chapters and is still involved in OWASP. Before that he worked for several multi-national organisations in the banking (chip card security & app security) and telecom (infra & app security) sectors. If there’s any free time left…, he spends it meddling with astronomy (planetary & galactic), reading philosophy/crypto detective books and dissecting bits of geo-economic politics.

Chris Rutter

Chris is a software developer who has bought into the crazy idea that software security is a measure of quality, right up there with business functionality and performance. He enjoys perfecting ways to defend his applications from any and all kinds of malicious nasties and educating other developers on said nasties. He has spent the last few years easing PCI-level security practices into an agile, one-week-sprint, continuous delivery environment using a mixture of education, automation and teamwork.

Lewis Ardern

Lewis Ardern is a Consultant at Cigital, Inc. Lewis is a Ph.D. candidate at Leeds Beckett researching Web Security, with a focus on client-side security. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen (https://github.com/SecGen/SecGen), which generates vulnerable virtual machines on the fly for security training purposes.

RSVP

This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

Drones, or Unmanned Aerial Vehicles (UAVs), have undoubtedly attained a prominent position in contemporary and future defense technologies. They have been increasingly used for surveillance and reconnaissance, and have been planned to stop crude oil theft, to deliver online shopping products and even pizza. It remains important to understand their security and its implications. This talk will explore different kinds of drones and their associated vulnerabilities, giving the audience a chance to understand their flaws and work on anti-hacking solutions.

The presentation will start with a history of ransomware, from simple lockers to recent trends. Although current ransomware generally follows good secure development practices, this has not always been the case. We'll see in what circumstances we can get our files back, and how. This will make you think twice before paying the ransom and, for some samples, think twice before clicking that tempting link for 'summer photos'.

Speakers

Aatif Khan

Aatif Khan is a cyber security researcher with over a decade of experience in information security. Apart from consulting on application security, he has also delivered infosec training to corporate and defense personnel and cyber crime police officials. He has previously presented talks at OWASP Singapore, Malaysia, India and Dubai. He has also authored papers on Advance Persistence Threats, Hacking the Drones, Web Security 2.0, and Android Application Penetration Testing.

Liviu Itoafa

Liviu Itoafa is a security researcher with a strong interest in malware analysis and investigating security incidents. He has been working in the field of Information Security for more than 7 years on developing (secure) software, application pentesting and reverse engineering. He became a coding enthusiast a long time ago, when he found out how to do game cheats and many other interesting things with the C programming language and a little Assembly. Now, as a security researcher at Kaspersky Labs, he is having fun investigating malware samples. He also runs malware analysis and reverse engineering workshops.

Sherif Mansour

Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.

RSVP

This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building by the Microsoft (Skype) security reception.

Imagine a world where a developer can have her/his code pushed into production a few minutes after it's checked in. How do you ingrain web application security in such a development pipeline? How do you keep track of the security issues? In this talk we'll discuss some of the security challenges of this paradigm shift and how OWASP can help development teams navigate some of these challenges.

This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but also allow them to be developed in a much more efficient, cheaper and productive way.

Speakers

Justin Clarke

Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Justin is the outgoing Chapter leader of the OWASP London chapter.

Sherif Mansour

Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.

Dinis Cruz

Dinis is creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

RSVP

Thursday, June 11th 2015 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Time: 18:30 to 20:30 (BST) (We start on time)

Talks

OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella

How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information.

Topic To be confirmed - Justin Clarke

Exciting OWASP topic to be confirmed!

Speakers

Christian Martorella

Christian Martorella has been working in the field of Information Security for the last 14 years, and is currently working in the Product Security team at Skype, Microsoft. Before that he was the Practice Lead of Threat and Vulnerability for Verizon Business, where he led a team of consultants delivering security testing services in EMEA for a wide range of industries including Financial Services, Telecommunications, Utilities and Government. He is co-founder and an active member of the Edge-Security team, where security tools and research are released. He has presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed open source assessment tools such as OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes everything related to Information Gathering, OSINT and offensive security.

Justin Clarke

Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.

The talk will present the new version 4 of the OWASP Testing Guide, the de facto standard for performing a web application penetration test on online services.

Thursday, September 18th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: John Smith, Joe Pelletier, Colin Watson

Global Application Security Survey & Benchmarking - John Smith

This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.

Anatomy of a Data Breach - Joe Pelletier

The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.

Thursday, May 15th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Hacker Fantastic, Colin Watson

Heartbleed Teardown - Hacker Fantastic

An analysis of CVE-2014-0160 ("heartbleed") covering a detailed assessment of the vulnerability since its introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attacker's perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors, as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.

The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several working demonstration implementations. In this presentation Colin Watson will summarise the concept, bring the topic up to date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.

Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.

The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking: if port knocking is defined as "a form of host-to-host communication in which information flows across closed ports", then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: a tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands over the web application layer. Within this presentation the applicability of WebSpa, as well as the hurdles crossed while developing it, will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previously closed TCP port 22 and other services.

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal with these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).

Recognising the important role that the CISO has in managing application security processes within organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and foremost to capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs. One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Thursday, December 12th 2013 (Central London)

Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data at runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by a discussion of advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches to and implementations of IAST and runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...

OWASP Cornucopia - Colin Watson

Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. Colin will also provide a brief introduction to how to contribute ideas and content to OWASP projects, and how to start a project.

Thursday, October 24th 2013 (Central London)

Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz

This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.

OWASP Mobile Top 10 - Justin Clarke

The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.

Thursday, November 8th 2012 (Central London)

In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.

This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.

The aim of this 20 minute talk is to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide. OWASP has developed guidance specifically to address the needs of CISOs, helping them prioritise the mitigation of web application vulnerabilities that might severely and negatively impact the organisation and jeopardise the business.

ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!

Thursday, March 29th 2012 (Central London)

We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

Abstract: Cryptography is widely implemented in software to provide security features. The main reason is that many cryptographic mechanisms are mathematically proven secure, or trusted as secure given some mathematical reasoning. However, to take full advantage of these mechanisms, they must be implemented strictly according to the theoretical models; e.g., several cryptographic mechanisms must be used together, in a specific manner, to provide a desired security goal. Without a strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where they spread, and how bad they may become.

"In recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the Diginotar breach) and, based on the current trust models (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently being discussed to mitigate this risk. The most advanced, and closest to final adoption, are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach has been partly tested in Chrome, and already helped identify and protect to some extent Google's web applications in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."

Friday, June 3rd 2011

Wordpress is one of the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Thursday, April 14th 2011

Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit

Discussion of what came out of the recent OWASP Summit, "OWASP 4.0", and what is changing in the OWASP world now and in the near future.

Thursday, February 17th 2011

Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA

A special meeting event, in conjunction with London Geek Nights on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.